Question

I have an installation of SQL 2016 Enterprise and my boss wants to deploy TDE. I googled online and all the instructions said "you can use a self-signed certificate for test/dev purposes". Most guides just said back up the master key and cert and that's it.

I have two SQL Servers; they sit on two separate domains. I want to make sure the database encrypted on one server can be restored on the other server.

What are the proper way and steps that should be applied to a production server? I think there is more to it than just creating a self-signed cert and backing it up somewhere safe.


Solution

What you've described is really it. Self-signed keys are just fine for TDE in production as they will not need to be verifiable remotely.

Having said that, using EKM apparently adds another layer of security. See here and here.

But for self-signed, you can test your multi-domain requirement (which I'm quite sure makes no difference) using this info.

OTHER TIPS

This article has a great step-through of exactly how to enable TDE. This includes generating keys/certificates, everything. When you turn TDE on, it will start encrypting in the background as well as when pages are accessed or flushed to disk.

Also, side note: tempdb also gets encrypted, so if you have other DBs/SPs that aren't encrypted and use tempdb, there may be a slight performance hit when you lay data down in tempdb and pick it back up. You're on 2016, so you still get native backup compression with TDE (hooray!)

http://joeysbasisblog.blogspot.com/2013/10/enable-or-disable-transparent-data.html

There really aren't a lot of steps to implement TDE. The design goal is to make this simple and transparent to apps (hence the name). It does impact more than the user database (e.g. tempdb gets encrypted, tlogs are not protected until cycled, etc...) and there are some performance considerations (especially if you are already under CPU pressure), but the actual steps to implement are simple. Just make sure you remember to back up the certificate and keep it in a secure location in case you need to restore to a new/rebuilt instance.

The product documentation provides a lot of details on the technology, how to implement, the side effects, how to maintain, etc... Check it out at https://msdn.microsoft.com/en-us/library/bb934049.aspx

If you need to move the TDE enabled database to another instance/server, you do need to backup/restore the cert to the new instance/server. Details documented at https://msdn.microsoft.com/en-us/library/ff773063.aspx

Check the docs out and come back with specific questions. It really isn't complicated to implement. Just remember that it protects against very specific threats. It's not the cure all for database security ills.
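The procedure the answers above describe, written out end to end as an added T-SQL example (this is not code from the question, the answers, or the linked articles). It covers both halves of the asker's scenario: enabling TDE on one instance and restoring the encrypted database on a second instance in an unrelated domain. The database name SalesDB, the certificate name TDE_Cert, the logical file names, the file paths and the placeholder passwords are all assumptions; replace them with your own. Nothing in it depends on Active Directory: what the second instance needs is the .cer file, the .pvk file and the private-key password.

```sql
/* ---------- Source instance (domain A) ---------- */
USE master;
GO

-- 1. Database master key in master (itself protected by the service master key).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<StrongDmkPassword-A>';
GO

-- 2. Self-signed certificate that will protect the database encryption key.
--    Self-signed is fine here: no client or peer ever validates it against a CA.
CREATE CERTIFICATE TDE_Cert
    WITH SUBJECT = 'TDE certificate for SalesDB';   -- name/subject are assumptions
GO

-- 3. Back up the certificate AND its private key before encrypting anything.
--    These two files plus the password are the only things the other server needs.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'D:\tde_backup\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\tde_backup\TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<StrongPvkPassword>'
    );
GO

-- 4. Create the DEK inside the user database and switch encryption on.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO

-- 5. Watch the background scan. encryption_state 2 = in progress, 3 = encrypted.
--    tempdb shows up here as well once any user database is encrypted.
--    Record encryptor_thumbprint: the destination must hold a cert with that thumbprint.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length,
       encryptor_thumbprint
FROM sys.dm_database_encryption_state;
GO

-- 6. Back up once encryption_state = 3. On 2016, MAXTRANSFERSIZE above 64 KB is what
--    makes COMPRESSION effective for a TDE database. The .bak is useless without the cert.
BACKUP DATABASE SalesDB
    TO DISK = 'D:\tde_backup\SalesDB.bak'
    WITH INIT, COMPRESSION, MAXTRANSFERSIZE = 131072;
GO

/* ---------- Destination instance (domain B) ---------- */
USE master;
GO

-- 7. The destination needs its own DMK; its password does not have to match the source.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<StrongDmkPassword-B>';
GO

-- 8. Recreate the certificate from the backed-up files (copied over out of band).
--    The certificate name may differ; the thumbprint is what has to match.
CREATE CERTIFICATE TDE_Cert
    FROM FILE = 'D:\tde_backup\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\tde_backup\TDE_Cert.pvk',
        DECRYPTION BY PASSWORD = '<StrongPvkPassword>'
    );
GO

-- 9. Pre-flight check: thumbprint must equal encryptor_thumbprint from step 5,
--    otherwise RESTORE fails with "Cannot find server certificate with thumbprint ...".
SELECT name, thumbprint, pvt_key_encryption_type_desc
FROM sys.certificates
WHERE name = 'TDE_Cert';
GO

-- 10. Restore. Logical file names are assumptions; check them with RESTORE FILELISTONLY.
RESTORE DATABASE SalesDB
    FROM DISK = 'D:\tde_backup\SalesDB.bak'
    WITH MOVE 'SalesDB'     TO 'E:\data\SalesDB.mdf',
         MOVE 'SalesDB_log' TO 'F:\log\SalesDB_log.ldf',
         RECOVERY;
GO

-- 11. Confirm the restored copy is still encrypted and bound to the same certificate.
SELECT d.name, d.is_encrypted, e.encryption_state, e.encryptor_thumbprint
FROM sys.databases AS d
JOIN sys.dm_database_encryption_state AS e ON e.database_id = d.database_id
WHERE d.name = 'SalesDB';
GO
```

Two points the answers touch on are worth keeping in mind when running this. The certificate backup in step 3 is the whole recovery story: if the .pvk file or its password is lost, every full backup taken after step 4 is unrecoverable on any other instance, so treat those files like a root key (offline copy, separate from the database backups, with the password in a vault). And step 5 is the check to run before shipping a backup across domains, because the thumbprint comparison is the only thing the destination instance cares about; domain membership never enters into it.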

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange